FLIR Systems FLIR Thermal Camera PT-Series (PT-334 200562) Remote Root Exploit
Title: FLIR Systems FLIR Thermal Camera PT-Series (PT-334 200562) Remote Root Exploit
Advisory ID: ZSL-2017-5438
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 25.09.2017
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Software version: 10.0.2.43
Release: 1.3.4 GA, 1.3.3 GA and 1.3.2
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
[24.09.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
[09.10.2017] Vendor released patches to address these issues.
[2] https://www.exploit-db.com/exploits/42785/
[3] https://packetstormsecurity.com/files/144321
[4] https://cxsecurity.com/issue/WLB-2017090203
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/132778
[6] http://www.vfocus.net/art/20170926/13876.html
[7] http://seclists.org/fulldisclosure/2017/Sep/60
[8] http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
[9] https://securityintelligence.com/news/thermal-security-camera-flaws-could-let-cybercriminals-launch-remote-attacks/
[10] https://www.security.nl/posting/532900/
[11] https://ipvm.com/reports/flir-thermal-vuln
[12] https://ipvm.com/reports/security-exploits
[13] http://flir.com/security/blog/details/?ID=87043
[14] http://securityaffairs.co/wordpress/64077/hacking/flir-thermal-camera-exploit.html
[15] http://flir.com/uploadedFiles/Security/Support/FNS_SetupInstructions_FC-Series-S-and-R-Security-Patch-v1.1.pdf
[16] http://flir.com/uploadedFiles/Security/Support/FLIR_Release_Notes_FC-Series-S-and-R-Security-Patch-v1.1.pdf
[17] http://flir.com/uploadedFiles/Security/Support/FLIR_Release_Notes_F-Series-PT-Series-and-D-Series-Security-Patch-v1.1.pdf
[18] http://flir.com/uploadedFiles/Security/Support/FNS_SetupInstructions_F-Series-PT-Series-and-D-Series-Security-Patch-v1.1.pdf
[19] http://www.securitylab.ru/news/488988.php
[20] https://www.tad.bg/en/post/backdoor-accounts-found-in-flir-thermal-security-cameras
[21] https://www.bleepingcomputer.com/news/software/researcher-finds-unremovable-backdoor-accounts-in-flir-thermal-security-cameras/
[22] http://securityinfo.it/2017/10/13/backdoor-vulnerabilita-nelle-termocamere-sicurezza-flir/
[23] https://www.hackeye.net/securitytetchnology/appsec/9821.aspx
[10.10.2017] - Added vendor status and reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13], [14, [15], [16], [17] and [18]
[13.10.2017] - Added reference [19], [20] and [21]
[14.10.2017] - Added reference [22] and [23]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2017-5438
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 25.09.2017
Summary
FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras bring thermal and visible-light imaging together in a system that gives you video and control over both IP and analog networks. The PT-Series' precision pan/tilt mechanism gives you accurate pointing control while providing fully programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions. PT-Series cameras define a new standard of performance with five models that provide full 640x480 thermal resolution.Description
FLIR Camera PT-Series suffers from multiple unauthenticated remote command injection vulnerabilities. The vulnerability exist due to several POST parameters in controllerFlirSystem.php script when calling the execFlirSystem() function not being sanitized when using the shell_exec() PHP function while updating the network settings on the affected device. This allows the attacker to execute arbitrary system commands as the root user and bypass access controls in place.--------------------------------------------------------------------------------
/maintenance/controllerFlirSystem.php:
--------------------------------------
Line 82: Command Injection in 'shell_exec' via '$customDateTime'
Line 91: Command Injection in 'shell_exec' via '$dhcpMode'
Line 92: Command Injection in 'shell_exec' via '$_GET'
Line 100: Command Injection in 'shell_exec' via '$dhcpMode'
Line 101: Command Injection in 'shell_exec' via '$dns'
Line 108: Command Injection in 'shell_exec' via '$dhcpMode'
Line 112: Command Injection in 'shell_exec' via '$interface'
Line 115: Command Injection in 'shell_exec' via '$interface'
Line 118: Command Injection in 'shell_exec' via '$interface'
Line 127: Command Injection in 'shell_exec' via '$_GET'
Line 132: Command Injection in 'shell_exec' via '$tz'
Line 136: Command Injection in 'shell_exec' via '$_GET'
Line 141: Command Injection in 'shell_exec' via '$servers'
--------------------------------------------------------------------------------
Vendor
FLIR Systems, Inc. - http://www.flir.comAffected Version
Firmware version: 8.0.0.64Software version: 10.0.2.43
Release: 1.3.4 GA, 1.3.3 GA and 1.3.2
Tested On
Linux 2.6.18_pro500-davinci_evm-arm_v5t_leLinux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vendor Status
[23.03.2017] Vulnerability discovered.[24.09.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
[09.10.2017] Vendor released patches to address these issues.
PoC
flir0.shCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://blogs.securiteam.com/index.php/archives/3411[2] https://www.exploit-db.com/exploits/42785/
[3] https://packetstormsecurity.com/files/144321
[4] https://cxsecurity.com/issue/WLB-2017090203
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/132778
[6] http://www.vfocus.net/art/20170926/13876.html
[7] http://seclists.org/fulldisclosure/2017/Sep/60
[8] http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
[9] https://securityintelligence.com/news/thermal-security-camera-flaws-could-let-cybercriminals-launch-remote-attacks/
[10] https://www.security.nl/posting/532900/
[11] https://ipvm.com/reports/flir-thermal-vuln
[12] https://ipvm.com/reports/security-exploits
[13] http://flir.com/security/blog/details/?ID=87043
[14] http://securityaffairs.co/wordpress/64077/hacking/flir-thermal-camera-exploit.html
[15] http://flir.com/uploadedFiles/Security/Support/FNS_SetupInstructions_FC-Series-S-and-R-Security-Patch-v1.1.pdf
[16] http://flir.com/uploadedFiles/Security/Support/FLIR_Release_Notes_FC-Series-S-and-R-Security-Patch-v1.1.pdf
[17] http://flir.com/uploadedFiles/Security/Support/FLIR_Release_Notes_F-Series-PT-Series-and-D-Series-Security-Patch-v1.1.pdf
[18] http://flir.com/uploadedFiles/Security/Support/FNS_SetupInstructions_F-Series-PT-Series-and-D-Series-Security-Patch-v1.1.pdf
[19] http://www.securitylab.ru/news/488988.php
[20] https://www.tad.bg/en/post/backdoor-accounts-found-in-flir-thermal-security-cameras
[21] https://www.bleepingcomputer.com/news/software/researcher-finds-unremovable-backdoor-accounts-in-flir-thermal-security-cameras/
[22] http://securityinfo.it/2017/10/13/backdoor-vulnerabilita-nelle-termocamere-sicurezza-flir/
[23] https://www.hackeye.net/securitytetchnology/appsec/9821.aspx
Changelog
[25.09.2017] - Initial release[10.10.2017] - Added vendor status and reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13], [14, [15], [16], [17] and [18]
[13.10.2017] - Added reference [19], [20] and [21]
[14.10.2017] - Added reference [22] and [23]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
